October 10th, 2005 16:00
WinFixer Removal (MSEvents sub-case)
Please note that there are several different versions/variations of WinFixer... this thread will (only) consider one particular variation, which seems to be the most common.
Follow the board directions to generate a HiJackThis log for yourself... but do NOT post it in the forum (yet). [if you're not sure how, see the forum instructions here http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=4987
or my personalized instructions here http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42884 ]
After you generate your log, look in the O2 section to see if you have a line that starts with:
O2 - BHO: MSEvents Object
If you don't see such a line, then STOP HERE... either you don't have WinFixer, or you have a different variation of it.... and in these cases, you should now post your Log in the HiJackThis forum in order to obtain individualized assistance: http://forums.us.dell.com/supportforums/board?board.id=si_hijack
If you're running Windows 95, 98, 98SE or ME, then STOP HERE... the fix described below is only for Windows XP and Windows 2000
If you do find an O2 - MSEvents line, you may continue on...
Make a note of the complete filename, including full path specification starting with the drive-letter:\, as shown on this O2 line. I'll refer to this as your personalized file specification. For example, if your log contained the line:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vturs.dll
then your personalized file specification would be C:\WINDOWS\system32\vturs.dll
Similarly, if your Log contained the line:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system\webdrv.dll
then the personalized file specification would be C:\WINDOWS\system\webdrv.dll
Remember this... we'll be using it shortly.
Now, click on the following link:
http://www.atribune.org/forums/index.php?showtopic=447&hl=killvundo
Scroll down that page, until you get to the reply/procedure by Atribune.
[Note: The procedure there recommends working in Safe Mode... if you have trouble getting into Safe Mode, then you should try it in regular mode.]
Note: Concerning updated versions of VundoFix: the VundoFix procedure is continually being updated by its author, and we have no control over [nor notification about] the changes. Therefore, it is very important that you pay close attention to the specific directions, as they appear on the screen when you actually run the program, and follow them precisely as indicated. The sample screens on the link I just sent you to were based on version V2.1... but as of 17 October 2005, the current version is V2.15... and the screen displays have been changed a little. For example, it no longer displays the list of forums from which you should seek assistance. Additionally, when you run the new version, you'll see that it now simply asks for the filepath, followed by a single ... that is to say, it no longer instructs you to include and again . These changes aside, the key steps listed below (about typing in the two filenames) should still basically follow the indicated steps.
Follow the steps for the VundoFix procedure as described there by Atribune, until the point where it asks you to "Type in the filepath as instructed by the forum staff".
Rather than the particular filepath indicated there, you must instead use your personalized file specification (as I've defined above).
[ Using my first example above, you should type-in: C:\WINDOWS\system32\vturs.dll
]
And further down, when it later asks you to
"Please type in the second filepath as instructed by the forum staff"
you need to MODIFY your personalized file specification in two ways:
first, you keep the same path beginning... but the "main" filename itself must be spelled BACKWARDS...
and second, instead of the filetype being dll, we replace it with an asterisk (star) *
[So again, continuing with my first example above, this time, you should type in
C:\WINDOWS\system32\srutv.*
]
To repeat / re-emphasize this point: the filename, vturs, spelt backwards, gives us srutv;
and we have replaced .dll by .*
If HijackThis does not automatically run by itself (as indicated it should), then you need to run it manually.
We may still need to check-off and FIX two lines, if they're still present. One is the
O2 - BHO: MSEvents Object line
that we found at the beginning, which gave us your personalized file specification.
The other is a corresponding
O20 - Winlogon Notify:
line that contains the very SAME personalized file specification.
[If you see an O20-Winlogon line(s) with ANOTHER / DIFFERENT file name listed, do *NOT* check/fix it.]
[ In the first example we've been using, the two lines to check-off and FIX CHECKED (if they're still present) would be:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vturs.dll
and
O20 - Winlogon Notify: C:\WINDOWS\system32\vturs.dll
]
[If either of these lines isn't there any more, then the fix has already done the job!]
Please note that, as indicated there:
Pressing any key will cause a "Blue Screen of Death" ; [and as crazy as it may seem,] THIS IS NORMAL... DO *NOT* WORRY! Just restart your computer.
[Use of the ActiveScan, as indicated next, is optional.]
Finally, generate another updated HijackThis log, which you should now post in the HiJackThis forum, here: http://forums.us.dell.com/supportforums/board?board.id=si_hijack
Note: The desire to post this "generalized" WinFixer solution (for the O2-MSEvents case) had been suggested/requested by RKinner. My version of these instructions started with his, and have tried to extend/explain them to cover a more-general case.
Message Edited by ky331 on 10-11-2005 12:50 PM
Message Edited by ky331 on 10-14-2005 01:53 PM
Message Edited by ky331 on 10-18-2005 03:49 PM
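Added example (not part of ky331's post, and not code from VundoFix or HijackThis): the bookkeeping the procedure above asks for, done over a HijackThis log in Python. It pulls the personalized file specification from the O2 MSEvents line, derives the second filepath (same folder, filename reversed, file type replaced by *), and lists the O2/O20 lines that carry the same specification. The function names and SAMPLE_LOG are hypothetical; the sample log is constructed from the post's first example plus two constructed lines, and the O20 line format is assumed to be as the post shows it.

```python
import re
from ntpath import split, splitext, join  # Windows path rules on any OS

# The O2 line the post tells you to look for: name, CLSID in braces, then the DLL path.
O2_RE = re.compile(r"^O2 - BHO: MSEvents Object - \{[0-9A-Fa-f-]+\} - (.+)$")

def msevents_spec(log_text):
    """Return the path from the 'O2 - BHO: MSEvents Object' line, or None if absent."""
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return None  # no such line: not this WinFixer variation, stop here

def second_filepath(spec):
    """Same folder, main filename spelled backwards, file type replaced by *."""
    folder, name = split(spec)
    stem, _ext = splitext(name)
    return join(folder, stem[::-1] + ".*")

def lines_to_fix(log_text, spec):
    """The O2 MSEvents line plus any O20 Winlogon Notify line with the SAME spec."""
    picked = []
    for line in log_text.splitlines():
        line = line.strip()
        is_o2 = O2_RE.match(line) is not None
        is_o20 = line.startswith("O20 - Winlogon Notify:")
        # An O20 line naming a different file is deliberately left alone.
        if (is_o2 or is_o20) and spec.lower() in line.lower():
            picked.append(line)
    return picked

# Constructed sample log (first and last lines are made up for contrast).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vturs.dll
O20 - Winlogon Notify: C:\WINDOWS\system32\vturs.dll
O20 - Winlogon Notify: C:\WINDOWS\system32\example.dll
"""

if __name__ == "__main__":
    spec = msevents_spec(SAMPLE_LOG)
    print("first filepath :", spec)
    print("second filepath:", second_filepath(spec))
    for entry in lines_to_fix(SAMPLE_LOG, spec):
        print("fix:", entry)
```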



RKinner
October 11th, 2005 02:00
ky331
October 11th, 2005 12:00
RKinner
October 11th, 2005 17:00